I am trying to configure the authentication and authorization for a new NetScaler Gateway instance. I want to use our existing SAML Identity Provider for authentication, so I set up the gateway as a SAML Service Provider. I configured my SAML server and policy, and bound the policy to the NetScaler Gateway virtual server as the primary authentication policy. I then created an LDAP server (with authentication disabled) and policy, and bound the policy to the NetScaler Gateway virtual server as a Group Extraction.
I was thinking that the SAML policy would be processed, my user account would be authenticated, and then my user account could be used by the gateway to perform the group lookup via LDAP. Instead, the SAML policy is processed and the Group Extraction policy is not. I was hoping to use the Group Extraction results for authorization in conjunction with AAA groups. So far, no results from my open case with Citrix support. I'm hoping some of the bright folks here have achieved this or can help me figure it out.
Authentication = SAML
Authorization = LDAP groups
Another acceptable option would be if there were a way to extract groups from the SAML response and use those for authorization. I haven't been able to figure out how to do either of these.
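For anyone comparing their setup against the one described in the question, here is that configuration written out as NetScaler CLI. This is an added example, not the original poster's config: gw_vs, idp.example.com, 10.0.0.10, the certificate and bind-DN names and the group name are all placeholder assumptions, and it reproduces the described setup (SAML primary, LDAP bound as secondary with authentication disabled) rather than claiming to fix the group-extraction problem.

```text
# NetScaler CLI (placeholder names and addresses throughout; assumptions, not a reference config)

# 1. SAML SP: trust the IdP signing cert, sign requests with the gateway's own cert,
#    and take the username from the assertion's NameID.
add authentication samlAction saml_idp_act -samlIdPCertName idp_signing_cert -samlSigningCertName gw_sp_cert -samlRedirectUrl "https://idp.example.com/saml/sso" -samlIssuerName "https://gw.example.com" -samlUserField "NameID" -samlRejectUnsignedAssertion ON
add authentication samlPolicy saml_pol ns_true saml_idp_act
bind vpn vserver gw_vs -policy saml_pol -priority 100

# 2. LDAP for group extraction only: the ldapAction has authentication disabled,
#    and the policy is bound as the secondary (cascade) policy.
#    -ldapLoginName must be the attribute whose value matches the SAML NameID
#    (userPrincipalName here; use sAMAccountName if the IdP sends that instead).
add authentication ldapAction ldap_grp_act -serverIP 10.0.0.10 -serverPort 636 -secType SSL -ldapBase "DC=example,DC=com" -ldapBindDn "CN=svc-netscaler,OU=Service,DC=example,DC=com" -ldapBindDnPassword "<bind-password>" -ldapLoginName userPrincipalName -groupAttrName memberOf -subAttributeName CN -authentication DISABLED
add authentication ldapPolicy ldap_grp_pol ns_true ldap_grp_act
bind vpn vserver gw_vs -policy ldap_grp_pol -priority 100 -secondary

# 3. Authorization by AAA group. The AAA group name must equal the CN that the
#    LDAP lookup extracts from memberOf (case-sensitive).
add aaa group GW-Users
add authorization policy authz_gw_users_allow ns_true ALLOW
bind aaa group GW-Users -policy authz_gw_users_allow -priority 100

# Confirm both bindings (primary and secondary) landed on the vserver
show vpn vserver gw_vs
```

Two things worth checking in a config like this before blaming the cascade: the value the IdP places in NameID has to be the same string the LDAP server holds in the attribute named by -ldapLoginName, or the group lookup searches for a user that does not exist; and the policies bound to one vserver should all be the same flavour (these are classic, ns_true expressions), since NetScaler will not mix classic and advanced policies on the same virtual server.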